Overview

Play ransomware launched in June 2022 and has since successfully targeted organisations across the world, with a notable concentration in Latin America, mainly Brazil. The Play ransomware group has been observed using a variety of infection vectors within its attack chain, including Cobalt Strike for post-compromise operations and the SystemBC RAT for persistence on targets. Play ransomware consistently establishes a foothold in the target network through compromised valid accounts or unpatched Fortinet SSL VPN vulnerabilities. As with the majority of modern ransomware variants, Play uses living-off-the-land binaries (LOLBins) to achieve its objectives within target systems, including WinSCP for data exfiltration and the Task Manager for dumping the Local Security Authority Server Service (LSASS) process.
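The two LOLBin behaviours named above (Task Manager dumping LSASS, WinSCP moving data out) are the kind of activity a SOC can hunt for in endpoint telemetry. The following detection logic is an added example written for this overview; it is not code from the Quorum Cyber report or from the Play group. It assumes Sysmon-style events flattened into Python dictionaries with hypothetical field names (`source_image`, `target_image`, `target_filename`, `dest_ip`), that Task Manager's "Create dump file" writes `<process>.DMP` under the user's Temp directory, and that the organisation's internal ranges are the RFC 1918 networks listed in `INTERNAL_NETS`. All sample events are constructed.

```python
"""Detection rules for two Play ransomware LOLBin behaviours:
LSASS dumping via Task Manager and outbound transfers via WinSCP.
Events below are constructed Sysmon-style records, not real telemetry."""

from ipaddress import ip_address, ip_network

# Constructed sample telemetry. Field names are assumptions, not Sysmon's exact schema.
SAMPLE_EVENTS = [
    {"host": "WS01", "event": "ProcessCreate", "image": r"C:\Windows\System32\Taskmgr.exe",
     "user": "CORP\\jdoe", "ts": 1},
    # Sysmon Event ID 10 equivalent: Task Manager opens a handle to lsass.exe.
    {"host": "WS01", "event": "ProcessAccess", "source_image": r"C:\Windows\System32\Taskmgr.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "ts": 2},
    # Sysmon Event ID 11 equivalent: "Create dump file" writes lsass.DMP to the user's Temp.
    {"host": "WS01", "event": "FileCreate", "image": r"C:\Windows\System32\Taskmgr.exe",
     "target_filename": r"C:\Users\jdoe\AppData\Local\Temp\lsass.DMP", "ts": 3},
    # Benign: a security sensor (hypothetical path) also reads lsass and must not trigger this rule.
    {"host": "WS01", "event": "ProcessAccess", "source_image": r"C:\Program Files\EDR\sensor.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "ts": 4},
    # WinSCP started on a file server, then connecting to a non-internal address.
    # 203.0.113.45 is from the RFC 5737 documentation range, used here as a constructed stand-in.
    {"host": "FS01", "event": "ProcessCreate", "image": r"C:\Tools\WinSCP.exe",
     "user": "CORP\\svc_backup", "ts": 10},
    {"host": "FS01", "event": "NetworkConnect", "image": r"C:\Tools\WinSCP.exe",
     "dest_ip": "203.0.113.45", "dest_port": 22, "ts": 11},
    # Benign: WinSCP from an admin workstation to an internal host.
    {"host": "ADM01", "event": "ProcessCreate", "image": r"C:\Tools\WinSCP.exe",
     "user": "CORP\\admin1", "ts": 20},
    {"host": "ADM01", "event": "NetworkConnect", "image": r"C:\Tools\WinSCP.exe",
     "dest_ip": "10.20.30.40", "dest_port": 22, "ts": 21},
]

# Assumed internal address space; an organisation would substitute its own ranges.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_external(ip: str) -> bool:
    """True when the address falls outside every configured internal range."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_taskmgr_lsass_dump(events):
    """Alert when Task Manager opens lsass.exe or writes an lsass*.dmp file.

    Restricting the rule to Taskmgr.exe keeps legitimate readers of LSASS
    (security sensors, backup agents) from producing noise."""
    alerts = []
    for e in events:
        if (e["event"] == "ProcessAccess"
                and _basename(e["source_image"]) == "taskmgr.exe"
                and _basename(e["target_image"]) == "lsass.exe"):
            alerts.append({"rule": "taskmgr_lsass_access", "host": e["host"], "ts": e["ts"]})
        elif (e["event"] == "FileCreate"
                and _basename(e["image"]) == "taskmgr.exe"
                and _basename(e["target_filename"]).startswith("lsass")
                and _basename(e["target_filename"]).endswith(".dmp")):
            alerts.append({"rule": "taskmgr_lsass_dumpfile", "host": e["host"],
                           "file": e["target_filename"], "ts": e["ts"]})
    return alerts


def detect_winscp_external_transfer(events, allowed_hosts=frozenset()):
    """Alert when WinSCP on a host outside the approved set connects to an
    external address. The preceding WinSCP launch time is attached for triage."""
    launched_at = {}
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if _basename(e.get("image", "")) != "winscp.exe":
            continue
        if e["event"] == "ProcessCreate":
            launched_at[e["host"]] = e["ts"]
        elif (e["event"] == "NetworkConnect"
                and e["host"] not in allowed_hosts
                and _is_external(e["dest_ip"])):
            alerts.append({"rule": "winscp_external_transfer", "host": e["host"],
                           "dest": f"{e['dest_ip']}:{e['dest_port']}", "ts": e["ts"],
                           "launched_at": launched_at.get(e["host"])})
    return alerts


def run_all(events, allowed_winscp_hosts=frozenset()):
    """Run both rules and return the combined alert list, ordered by timestamp."""
    alerts = detect_taskmgr_lsass_dump(events) + detect_winscp_external_transfer(events, allowed_winscp_hosts)
    return sorted(alerts, key=lambda a: a["ts"])


if __name__ == "__main__":
    for alert in run_all(SAMPLE_EVENTS):
        print(alert)
```

Against the constructed events the LSASS rule fires twice on WS01 (handle open and dump file) and ignores the sensor's access, while the WinSCP rule fires once for FS01 and not for the internal transfer from ADM01; passing `allowed_winscp_hosts={"FS01"}` suppresses the latter alert for hosts where WinSCP use is expected.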

More recent Play ransomware campaigns have involved the exploitation of the ‘ProxyNotShell’ vulnerabilities discovered in Microsoft Exchange. Play ransomware is also known to employ similar behavioural trends and tactics as the HIVE and Nokoyawa ransomware variants.

Play ransomware has been deployed in prominent attack campaigns, including those against Argentina’s Judiciary of Cordoba in August 2022 and more recently against network systems in the City of Oakland in March 2023.

In April 2023, the Play ransomware group was detected running campaigns that involved two custom tools developed in .NET, namely “Grixba” and “VSS Copying Tool”.

The Quorum Cyber Threat Intelligence team provides ransomware reports so that you can better understand the threats facing your organisation.

Headquarters

Verdant
2 Redheughs Rigg
Edinburgh
United Kingdom
EH12 9DQ

Colorado, USA Office

950 S Cherry St Ste 505
Denver, Colorado
USA
80246

Ontario, Canada Office

1375 North Service Rd E
Suite 102
Oakville
Ontario L6H 1A7

Arizona, USA Office

1300 S Litchfield Rd
110-L, Goodyear
USA
Arizona 85338
